This free full-length CIRO Director practice exam includes 75 original Securities Prep questions across the exam domains.
The questions are original Securities Prep practice questions aligned to the exam outline. They are not official exam questions and are not copied from any exam sponsor.
Count note: this page uses the full-length practice count maintained in the Mastery exam catalog. Some exam sponsors publish total questions, scored questions, duration, or unscored/pretest-item rules differently; always confirm exam-day rules with the sponsor.

| Item | Detail |
|---|---|
| Issuer | CIRO |
| Exam route | CIRO Director |
| Official route name | CIRO Director and Executive Exam |
| Full-length set on this page | 75 questions |
| Exam time | 150 minutes |
| Topic areas represented | 8 |

| Topic | Approximate official weight | Questions used |
|---|---|---|
| Element 1 — General Regulatory Framework | 7% | 7 |
| Element 2 — Dealer Business Model | 9% | 9 |
| Element 3 — Offering and Distribution of Securities | 7% | 7 |
| Element 4 — Corporate Governance and Ethics | 12% | 12 |
| Element 5 — Duties, Liabilities and Defences | 8% | 8 |
| Element 6 — Risk Management and Internal Controls | 12% | 12 |
| Element 7 — Significant Areas of Risk | 10% | 10 |
| Element 8 — UDP Responsibilities | 10% | 10 |

Topic: Element 1 — General Regulatory Framework
An Investment Dealer currently routes client orders only to a visible exchange. It plans to add a midpoint dark marketplace that does not display pre-trade quotes and dealer-sponsored direct electronic access on an exchange for certain institutional clients. Before launch, the Board Risk Committee asks what governance step is most appropriate, given that market structure and trading risks differ by venue type. Which action best aligns with CIRO and CSA expectations?
Best answer: D
What this tests: Element 1 — General Regulatory Framework
Explanation: Marketplace type affects transparency, execution quality, information leakage, and access risk. A dealer therefore needs documented, venue-specific oversight rather than assuming the same policy or the marketplace operator’s rules are enough.
The key principle is that the dealer remains responsible for execution quality, supervision, and risk management across all venues it uses. A visible exchange, a dark marketplace, and dealer-sponsored direct electronic access create different market-structure features and different risks, so senior management and the Board should require a venue-specific review before approving the expansion.
Relying only on venue rules, a generic policy, or cost metrics would miss the dealer’s own governance and oversight obligations.
Different marketplace types change transparency, order handling, and access risk, so the dealer needs venue-specific execution oversight and controls before launch.
Topic: Element 6 — Risk Management and Internal Controls
An Investment Dealer’s Board Risk Committee receives the following memo about a prime brokerage counterparty.
Exhibit: Credit policy extract and exception report
Which action is most consistent with the firm’s credit risk management policy?
Best answer: A
What this tests: Element 6 — Risk Management and Internal Controls
Explanation: Credit risk procedures must set clear limit, approval, and escalation rules, then be followed. Here, the exposure has been over limit for 5 days and the collateral deficiency is above the stated trigger, so immediate escalation to the Risk Committee chair is required.
Effective credit risk management policies do more than set exposure limits; they also assign independent approval authority, define how long exceptions may remain open, and require prompt escalation when risk exceeds tolerance. In the exhibit, the business line cannot approve an exception, the Chief Risk Officer’s temporary authority ends after 3 business days, and any collateral deficiency above CAD 1 million also triggers same-day escalation. Northlake breaches both escalation conditions: the exposure has been over limit for 5 days and the deficiency is CAD 1.3 million. The proper governance response is immediate escalation for formal committee action and remediation. The expected wire may help later, but it does not suspend the policy’s current approval and escalation requirements.
The excess exceeds the Chief Risk Officer’s 3-day authority, the collateral deficiency is above CAD 1 million, and business-line approval is not permitted.
Topic: Element 7 — Significant Areas of Risk
At a board risk committee meeting, management reports that a new outsourced reconciliation system has produced incomplete daily segregation reports for five business days because some client positions are not feeding into the file. No client loss is known, but the firm cannot prove complete daily segregation of client securities. Management wants to wait for the vendor patch next week and keep using ad hoc spreadsheets. Which risk-mitigation approach best addresses the most material risk?
Best answer: A
What this tests: Element 7 — Significant Areas of Risk
Explanation: The most material risk is the firm’s inability to evidence proper segregation of client assets, not the vendor delay itself. The best response is immediate compensating controls with senior escalation and temporary limits on exposure until the control gap is remediated.
When a critical outsourced control breaks, the Investment Dealer remains responsible for the control outcome. Here, the key risk is safekeeping and segregation: the firm cannot demonstrate that all client positions are properly captured and monitored each day. That requires an immediate operational and governance response, not a wait-and-see approach.
Extra capital, client messaging, or a later audit may be helpful in other contexts, but they do not fix the immediate control failure over client assets.
This directly addresses the live client-asset control failure by restoring oversight and reducing exposure until the deficiency is fixed.
Topic: Element 3 — Offering and Distribution of Securities
North Ridge Energy Inc. is a TSX-listed reporting issuer in Ontario, Alberta, and British Columbia. It wants to launch a public common share offering next week. External counsel tells the board that a short form prospectus is available only if the issuer’s continuous disclosure record is current, including a current annual information form (AIF); otherwise the issuer must use a prospectus under NI 41-101. North Ridge’s current AIF has not yet been filed after an internal reorganization. Which action best aligns with securities-law and governance expectations?
Best answer: D
What this tests: Element 3 — Offering and Distribution of Securities
Explanation: The board should match the offering method to the issuer’s actual disclosure status. If the issuer is not currently eligible for a short form prospectus because its AIF is missing, the proper course is to fix that gap first or use the NI 41-101 prospectus process instead of hoping the deficiency can be cured later.
The core concept is that a public offering must use the prospectus regime that fits the issuer’s current disclosure record. A short form prospectus under NI 44-101 is meant for issuers whose ongoing disclosure is already current and reliable, because investors and regulators rely on that record by incorporation by reference. Here, the stem states that a current AIF is required for short-form access, and the issuer does not have one on file. A board acting prudently should therefore require management either to bring the disclosure record current before using the expedited route or, if timing does not permit that, to use a prospectus under NI 41-101 with full current disclosure. Underwriter diligence supports the process, but it does not replace the issuer’s own eligibility and disclosure obligations.
Short-form access depends on a current disclosure record, so the board should cure the missing AIF first or use the NI 41-101 prospectus route.
Topic: Element 7 — Significant Areas of Risk
At a Board Risk Committee meeting, directors debate what belongs in the Investment Dealer’s annual inventory of significant areas of risk.
Exhibit: Board-approved risk policy excerpt
Which interpretation is most supported by the exhibit?
Best answer: C
What this tests: Element 7 — Significant Areas of Risk
Explanation: The policy defines significance by potential material effect on clients, compliance, capital or liquidity, operations, or reputation. It also expressly includes outsourcing and control functions, so a non-revenue outsourced platform can still be a significant area of risk.
For an Investment Dealer, a significant area of risk is defined by potential material impact, not by whether the activity is a profit centre or whether a loss has already happened. The exhibit makes clear that significant risk can arise in business lines, products, processes, technology, outsourcing arrangements, and control functions. If failure in any of those areas could materially harm clients, create a legal or CIRO compliance problem, impair capital or liquidity, disrupt critical operations, or damage reputation, the area belongs in the firm’s significant-risk inventory.
This means the Board and senior management should look beyond front-office desks. Shared services, vendors, surveillance tools, and control functions can all be significant when their failure could materially affect the firm or its clients. The closest trap is treating significance as a backward-looking concept tied only to actual losses rather than material potential impact.
The exhibit expressly includes outsourcing arrangements and bases significance on potential material impact, not on revenue generation.
Topic: Element 2 — Dealer Business Model
A Board is reviewing management’s proposal to move part of the firm’s retail business from an introducing broker arrangement to a carrying broker model. The directors want to identify the function that would now sit with the firm and require materially more operations, control, and capital support. Which function best matches the carrying broker role?
Best answer: D
What this tests: Element 2 — Dealer Business Model
Explanation: The carrying broker role is defined by custody, recordkeeping, and post-trade infrastructure, especially holding client assets and handling clearing and settlement. Those functions materially increase the need for systems, reconciliations, controls, and oversight, which is why senior management and the Board should focus on them when resourcing the business.
The key service-line distinction is that a carrying broker performs the core account-carrying infrastructure for clients, including custody of client cash and securities, segregation and safekeeping, books and records, and clearing and settlement. From a Board and senior management perspective, that matters because these functions require stronger operational capacity, control frameworks, and financial resources than an introducing-only model.
In contrast, the introducing side is centered more on the client-facing relationship and, depending on the arrangement, activities such as account opening, advice, or suitability oversight. Corporate finance advisory for issuers and online order-entry platforms are separate service lines; they do not define the carrying broker function. The closest distractor is the client relationship and suitability activity, but that is not what makes a firm the carrying broker.
A carrying broker typically holds client cash and securities and performs the clearing and settlement functions that drive major operational and control requirements.
Topic: Element 6 — Risk Management and Internal Controls
The board of a growing Investment Dealer approves a plan to expand into self-directed options trading after seeing strong projected revenue. Management did not provide an enterprise risk assessment, stress testing, or revised risk appetite limits, and the board did not require them. Within six months, margin exceptions, complaint volumes, and technology incidents rise, and remediation costs consume much of the expected profit. What is the most likely consequence of this omission?
Best answer: B
What this tests: Element 6 — Risk Management and Internal Controls
Explanation: Strategic growth decisions should be tested against risk appetite, control capacity, and downside scenarios, not just projected revenue. Here, the missing risk assessment led to real control failures and remediation costs, so the likely consequence is a reassessment or slowdown of the strategy and weaker risk-adjusted returns.
This tests risk-adjusted strategic decision-making. Directors and executives should assess whether expected growth still creates value after considering operational strain, supervision demands, conduct risk, technology capacity, capital usage, and downside scenarios. In the scenario, the board approved expansion without an enterprise risk assessment, stress testing, or updated risk appetite limits. Once margin exceptions, complaints, and technology incidents appeared, the omitted risks became real costs. The likely consequence is that management and the board must redirect resources to remediation, reconsider the pace or scope of the rollout, and reassess whether the business still meets the firm’s risk-return objectives. The key point is that unassessed risk often shows up as reduced profitability, weaker capital flexibility, and delayed growth rather than as a purely theoretical issue.
Because the risks were not built into the decision, the firm must absorb control and remediation costs before growth can continue, reducing risk-adjusted returns.
Topic: Element 3 — Offering and Distribution of Securities
NorthPoint Securities Inc., a listed investment dealer, is considering an overnight treasury offering. The board receives this memo excerpt:
Which board instruction is the only supported response?
Best answer: A
What this tests: Element 3 — Offering and Distribution of Securities
Explanation: A confidential material change filing can support delayed public disclosure only when the legal conditions are met and confidentiality is maintained. That does not permit broad selective disclosure; pre-announcement information should be limited to participants who need it for the issuance, such as underwriters and professional advisers.
The key concept is the distinction between delayed public disclosure and prohibited selective disclosure. If immediate public disclosure of a material change would be unduly detrimental, the issuer may rely on a confidential material change report, but only while confidentiality is actually preserved. That filing mechanism does not create a general right to tell chosen market participants first.
In a securities issuance, limited disclosure to underwriters, external counsel, and auditors can fall within the necessary course of business because they need the information for diligence, structuring, and document preparation. By contrast, telling supportive shareholders merely to avoid surprise, or telling analysts so they can update models, goes beyond that narrow transactional purpose and raises selective disclosure concerns.
The board should therefore pair any delayed public disclosure with a confidential filing and tight need-to-know controls.
This matches the memo: delayed public disclosure requires the confidential filing conditions, and any pre-announcement disclosure must stay within the necessary course of business.
Topic: Element 1 — General Regulatory Framework
North Shore Securities Inc. is a federally incorporated Investment Dealer. In its annual legal review, the Board wants the workstream that belongs primarily under the Canada Business Corporations Act rather than privacy, anti-money laundering, or electronic marketing rules. Which action best fits that statute’s purpose?
Best answer: C
What this tests: Element 1 — General Regulatory Framework
Explanation: The Canada Business Corporations Act is the core federal corporate statute for federally incorporated companies. It addresses how the corporation is organized and governed, including bylaws, directors, meetings, shareholder rights, and basic corporate compliance, so the governance workstream is the best fit.
The decisive factor is the statute’s purpose. For a federally incorporated Investment Dealer, the CBCA provides the legal framework for the corporation itself: incorporation, articles and bylaws, board and officer authority, meetings, shareholder voting, stakeholder protections within corporate law, and required corporate records and compliance. A board project focused on bylaws, meeting procedures, and shareholder voting therefore falls directly within the CBCA.
The other actions are important, but they belong to different federal regimes. Suspicious transaction monitoring is tied to anti-money laundering and FINTRAC reporting. Personal information consent is a privacy-law issue. Consent for commercial electronic messages is an anti-spam compliance issue. The governance-focused option is the only one that matches the CBCA’s central corporate-law role.
The CBCA governs the corporation’s legal structure, internal governance, shareholder rights, and related corporate compliance.
Topic: Element 4 — Corporate Governance and Ethics
A Director of Northern Peak Securities, an Investment Dealer, tells the Board Chair that she has already accepted an unpaid board seat with a reporting issuer. The issuer is also a current corporate finance client of the firm and is considering a bought-deal financing led by the firm. She did not seek advance approval. What is the best next step for the firm?
Best answer: B
What this tests: Element 4 — Corporate Governance and Ethics
Explanation: The outside role creates an immediate conflict-review issue because it involves a current client and a possible financing mandate. The firm should respond right away with disclosure, assessment, documentation, and temporary recusal rather than ignore the issue, wait, or jump straight to an automatic ban.
When a Director or Executive proposes or has taken on an outside activity, the firm should first assess whether it creates an actual or reasonably foreseeable conflict, confidentiality risk, divided loyalties, or an impairment of the person’s ability to discharge firm duties. Here, the outside board seat involves a current client and a pending capital-markets transaction, so the matter requires prompt action, not routine follow-up later.
The key takeaway is that the firm should use a structured approval and control process before allowing the activity to continue.
The firm should promptly assess and document the outside activity, impose interim recusal, and then decide whether the role can continue with conditions or must end.
Topic: Element 6 — Risk Management and Internal Controls
Which of the following is a detective control in an Investment Dealer’s internal control framework?
Best answer: B
What this tests: Element 6 — Risk Management and Internal Controls
Explanation: Detective controls are designed to find errors, irregularities, or breaches so they can be investigated and corrected. Reviewing daily exception reports fits that purpose because it surfaces unusual activity after it appears, while the other controls are intended to stop or reduce problems in advance.
The key distinction is purpose and timing. A detective control is designed to identify that an error, breach, or irregularity has occurred or may be occurring, typically through monitoring tools such as exception reports, reconciliations, surveillance, or post-event reviews. Reviewing daily exception reports for unusual trades is therefore a detective control because it highlights activity that should be examined.
Preventive controls are different: they are meant to stop the problem before it happens. System-enforced limits, approval requirements, and segregation of duties all aim to reduce the chance that an improper transaction or control failure will occur in the first place. A useful shortcut is that detective controls find and escalate issues, while preventive controls block or deter them upfront.
Exception-report review is detective because it identifies unusual activity for investigation rather than stopping it beforehand.
Topic: Element 2 — Dealer Business Model
The board of an Investment Dealer is asked to approve the integration plan for an acquired online brokerage. The plan treats all 22,000 client accounts as one “digital retail” population and applies one post-acquisition service and supervision model. The memo does not identify whether the accounts are order-execution-only, advised, managed, cash, margin, registered, or non-registered. What should the board verify first?
Best answer: D
What this tests: Element 2 — Dealer Business Model
Explanation: Before approving one common integration model, the board needs evidence that the affected accounts are actually similar enough to be supervised and serviced the same way. Account type is the key missing fact because it drives what activities are permitted and what controls the firm must apply.
In a senior governance decision, the first question is whether management has classified the population correctly. Here, the integration plan assumes one model for all acquired accounts, but account type can materially change the firm’s obligations and operational constraints. Order-execution-only, advised, and managed accounts do not carry the same service and supervision expectations, and cash, margin, registered, and non-registered accounts can differ in documentation, permissions, and control requirements.
Without an account-type breakdown tied to the proposed destination model, the board cannot assess whether the migration plan is compliant, operationally sound, or aligned with risk appetite. Forecasts, demographics, and staffing may matter later, but they do not answer the threshold governance question: does the proposed model fit the actual accounts being moved?
The missing threshold fact is how the accounts are classified, because account type determines permitted activity, service model, and required supervision.
Topic: Element 6 — Risk Management and Internal Controls
An Investment Dealer plans to launch a new institutional securities financing service in 30 days. The Board has delegated oversight of new control approvals to its Risk Committee. Management’s proposed limit and collateral checks exist only in emails, have not been tested for expected volumes, and have not been reported to the committee. What is the best next step?
Best answer: B
What this tests: Element 6 — Risk Management and Internal Controls
Explanation: A material new business activity should not start with informal or untested controls. Senior management should first formalize the controls in writing, assess whether they are adequate for the new risks, and take them to the delegated Board committee for review and approval.
The core issue is governance over new or changed controls. For a material new service, management should not rely on email instructions or verbal understandings. Controls should be formally documented, designed for the specific risks of the activity, reviewed for adequacy, and reported to the Board or the delegated Board committee for review and approval. That creates a clear record of oversight and gives Directors a basis to challenge whether the control environment is fit for purpose before launch.
A sound sequence is:
Waiting until after launch is the closest distractor, but it skips the required pre-launch governance safeguard.
Controls for a new activity should be adequate, written, and taken to the delegated Board committee for review and approval before go-live.
Topic: Element 8 — UDP Responsibilities
At a July 16, 2026 board risk committee meeting, the UDP reviews this extract from the firm’s CIRO examination tracker.
Exhibit:
Based on the exhibit, which action by the UDP is most appropriate?
Best answer: B
What this tests: Element 8 — UDP Responsibilities
Explanation: The UDP’s duty is not met by acknowledgment or delegation alone. Because the CIRO response is overdue and the high-risk finding has not been implemented or tested, the UDP should ensure a prompt response, a clear remediation plan, and follow-up until completion is evidenced.
The core concept is that the UDP must ensure issues raised in examination reports are both responded to and addressed. In the exhibit, the finding is high risk, the response deadline has already passed, and the firm has only a draft procedure. That means the issue is neither properly answered to CIRO nor demonstrably remediated.
Simply leaving the matter with management is not enough. A draft procedure is only a proposed fix, not proof that the deficiency has been corrected.
The response is overdue and the finding is not yet addressed, so the UDP must ensure prompt reply, accountable remediation, and evidence of completion.
Topic: Element 7 — Significant Areas of Risk
An Investment Dealer outsources online account opening, identity verification, and storage of new-account documents to a fintech vendor. Internal audit had warned that the outsourcing agreement did not guarantee timely access to records, cybersecurity testing rights, or incident escalation. After a ransomware attack at the vendor, the dealer cannot retrieve some client files during a CIRO review and discovers that personal information may have been exposed. No client losses or capital shortfall have yet been identified. What is the most likely immediate consequence for the dealer?
Best answer: A
What this tests: Element 7 — Significant Areas of Risk
Explanation: The immediate consequence is a supervisory and operational control issue for the dealer, not a transfer of responsibility to the vendor. In a CIRO context, the firm remains accountable for books and records, cybersecurity oversight, business continuity, and control of outsourced functions.
This scenario tests third-party outsourcing risk. When an Investment Dealer delegates account opening, KYC support, document storage, or other core functions to a vendor, the dealer still retains the regulatory obligation to supervise the activity and maintain access to required records. A ransomware event that prevents timely production of files during a CIRO review points first to the dealer’s weak outsourcing governance: inadequate due diligence, weak contract terms, insufficient incident escalation, and poor business continuity planning. The likely immediate result is regulatory scrutiny of the dealer, prompt remediation, and possible findings against the firm and accountable senior leadership. The dealer may later pursue the vendor contractually, but that does not displace the firm’s immediate responsibility to regulators and clients.
Outsourcing does not transfer regulatory duties, so CIRO would focus first on the dealer’s weak vendor oversight, records access, and cyber controls.
Topic: Element 1 — General Regulatory Framework
A Canadian Investment Dealer’s board risk committee reviews a package for a new online onboarding channel. The package includes written AML policies, an enterprise AML risk assessment, annual staff training, and a periodic independent effectiveness review. It also confirms privacy notices and recorded consent controls for commercial electronic messages. However, unusual activity will be handled by business-line managers, and no individual is designated as responsible for the AML program or external reporting. Which missing control is the clearest federal-statute deficiency?
Best answer: C
What this tests: Element 1 — General Regulatory Framework
Explanation: The decisive gap is the absence of a formally designated AML compliance officer. For an Investment Dealer subject to Canada’s AML regime, policies, training, and reviews are not enough unless a responsible person has authority to oversee the program and external reporting.
Under Canada’s AML framework, a reporting entity needs a compliance program with clear accountability, including a designated AML compliance officer. The stem already provides several expected elements: written policies, a risk assessment, training, and an effectiveness review, plus separate privacy and anti-spam controls. What is missing is ownership of AML escalation and reporting. If unusual activity is left with business-line managers and no one is formally responsible for the AML program, the firm creates uncertainty about who receives internal referrals, assesses suspicious activity, and ensures required reports are made to FINTRAC. At the board and executive level, that governance gap is a more serious statutory deficiency than adding extra reporting or stronger but optional privacy safeguards. A helpful dashboard would improve oversight, but it would not cure the missing accountable AML officer.
A FINTRAC-reporting entity must designate an AML compliance officer to oversee the program and suspicious transaction escalation/reporting.
Topic: Element 7 — Significant Areas of Risk
An Investment Dealer’s Board risk committee receives this weekly dashboard:
As the UDP, what is the best next step to mitigate the most material risk?
Best answer: A
What this tests: Element 7 — Significant Areas of Risk
Explanation: The most material risk is potential harm to client asset safeguarding, not the modest complaint increase or the current capital cushion. The best mitigation is immediate containment of the affected process, independent reconciliation of client positions, and close escalation until control is restored.
The core issue is safeguarding fully paid client securities after a system change. When reconciliation breaks remain unresolved for several days, manual overrides are being used, and exception reviews are already lagging, the firm faces an immediate operational and client-asset risk. The best response is to contain the source of the problem, verify client positions independently, and maintain active senior oversight until the breaks are resolved.
A capital buffer does not offset a control failure affecting client securities, and Board reporting should accompany immediate remediation rather than replace it.
Unresolved breaks in fully paid client securities create the highest immediate risk, so containment, independent verification, and prompt escalation are the strongest mitigants.
Topic: Element 7 — Significant Areas of Risk
An Investment Dealer’s board identifies orders breaching approved credit or position limits before execution as its most material trading risk. Which risk-mitigation approach best addresses that risk?
Best answer: B
What this tests: Element 7 — Significant Areas of Risk
Explanation: The best mitigation is a preventive control that stops the risky event before it happens. If the material risk is limit breaches before execution, automated pre-trade blocks address the root exposure more effectively than detective or loss-transfer measures.
This tests the difference between preventive, detective, corrective, and risk-transfer approaches. When the most material risk is an order exceeding approved credit or position limits before execution, the strongest response is to embed a control in the trading workflow that blocks the order automatically. That directly reduces the likelihood of the breach and the resulting market, compliance, and client harm.
Detective measures, such as exception reports or reconciliations, can help identify problems, but only after the exposure has already occurred or progressed. Insurance may offset some financial loss, but it does not prevent unauthorized trading, regulatory consequences, or control failures. The key takeaway is that the best mitigation is the one that most directly addresses the timing and source of the material risk.
A preventive control at the point of order entry best reduces the chance that the breach occurs at all.
Topic: Element 2 — Dealer Business Model
An Investment Dealer’s executive team proposes expanding its securities financing business. The plan is forecast to add $14 million of annual contribution before added control costs and capital charges, but it would also require $80 million of additional regulatory capital, more collateral operations staff, and tighter credit-risk monitoring. Several shareholders are pressing the board for higher ROE next year. Which response by the board best aligns with durable profitability oversight?
Best answer: D
What this tests: Element 2 — Dealer Business Model
Explanation: Durable profitability is not the same as maximizing short-term earnings or next year’s ROE. Because this proposal uses significant capital and increases credit and operational demands, the board should require a risk-adjusted review that includes capital consumption, downside scenarios, and control capacity before approving growth.
Boards should evaluate growth using sustainable, risk-adjusted profitability rather than headline revenue, margin, or a single-period ROE target. In this scenario, the proposed expansion consumes additional regulatory capital and increases credit and operational risk, so the economics must be assessed after considering capital usage, stress losses, and the cost and capacity of the control environment. That is consistent with prudent governance: management should show that the business still meets return objectives within the firm’s risk appetite and can be supervised effectively.
A choice based only on ROE, adjusted earnings, or pre-tax margin can overstate profitability by ignoring risk and resource consumption.
Durable profitability requires assessing returns after capital usage, downside risk, and the resources needed to control the activity.
Topic: Element 8 — UDP Responsibilities
An Investment Dealer’s quarterly compliance dashboard for the executive committee shows 14 incidents of client information being sent to personal email. The same weakness was cited in the prior CIRO examination, but management’s proposed action is only “send a reminder to staff.” The package includes no root-cause analysis, no accountable executive, no completion date, no follow-up testing, and no board-level escalation. As UDP, what is the best response?
Best answer: A
What this tests: Element 8 — UDP Responsibilities
Explanation: The decisive deficiency is the absence of formal escalation and documented remediation for a repeated significant compliance issue. A UDP should ensure the matter is elevated to the proper governance level, assigned to accountable management, and tracked until testing confirms the control weakness is fixed.
The core issue is failed escalation and remediation governance. Because the same weakness appeared in a prior CIRO examination, an informal reminder to staff is not an adequate response. The UDP is responsible for ensuring material compliance concerns are escalated appropriately and addressed through a credible remediation process.
Training, richer dashboard reporting, and a later audit review may all help, but they do not replace prompt escalation and a documented remediation plan for a repeated high-risk issue.
A repeated high-risk compliance weakness requires formal escalation and a documented remediation plan with accountable ownership and effectiveness testing.
Topic: Element 2 — Dealer Business Model
At a Board strategy meeting of a Canadian Investment Dealer, management presents the following:
Exhibit:
The Board uses ROA to review existing business lines and requires a minimum projected ROI of 15% for new projects. What is the best next step for the Board?
Best answer: A
What this tests: Element 2 — Dealer Business Model
Explanation: The Board should apply each measure to the decision it is designed for. ROA evaluates how efficiently the existing platform uses assets, while projected ROI evaluates whether the CRM investment is attractive before capital is committed.
ROA and ROI are related but not interchangeable. ROA measures profit generated from the asset base of an existing business line, so the wealth platform should be assessed as 6/120 = 5%. ROI measures expected return on a specific investment, so the CRM upgrade should be assessed as 1/5 = 20%, which is above the 15% hurdle. In a strategic review, the proper next step is then to challenge management’s assumptions, execution risks, and monitoring plan before approval. Approving first or waiting for actual post-launch results would use the metrics too late, and using only ROA would blur operating efficiency with project economics. The key takeaway is to match the profitability measure to the decision being made.
It uses ROA for the operating business, ROI for the new project, and preserves Board challenge before capital is committed.
Topic: Element 1 — General Regulatory Framework
The board of a Canadian Investment Dealer is reviewing a proposal for a smart order router for client trades in exchange-listed equities. The router would send orders to a recognized exchange and to several alternative trading systems (ATSs) that trade the same securities. A director asks which statement in management’s briefing is INCORRECT under Canadian marketplace rules and practice.
Best answer: C
What this tests: Element 1 — General Regulatory Framework
Explanation: The inaccurate statement is the claim that listed-share client orders cannot be routed to an ATS. In Canada, ATSs are marketplaces for secondary trading, so a dealer may route listed securities there if its order handling remains consistent with marketplace requirements and best execution.
The core concept is the distinction between an exchange’s listing role and an ATS’s trading role. Exchanges can list issuers and impose listing standards, while ATSs generally provide a venue for trading securities, including securities listed on an exchange, without becoming the listing venue. For a dealer’s board or executives, the regulatory implication is that ATS use is not prohibited simply because a security is exchange-listed; the real oversight issue is whether routing logic, supervision, and governance support compliant order handling and best execution across available marketplaces. The closest trap is assuming that exchange listing gives that exchange exclusive trading rights, which is not how Canadian equity market structure operates.
Exchange listing does not make ATS trading off-limits; ATSs may trade listed securities, subject to the dealer’s routing and best-execution obligations.
Topic: Element 3 — Offering and Distribution of Securities
Northline Analytics Inc., a non-reporting issuer with transfer restrictions and 38 beneficial shareholders, wants a quick $4 million financing before a possible public process next year. The dealer’s executive committee has been told that the financing must avoid a prospectus, preserve the issuer’s private issuer status, and close within 10 days; no offering memorandum will be prepared. Management proposes selling common shares to six arm’s-length brokerage clients, each investing $75,000, none of whom is an accredited investor or has any qualifying relationship with the issuer, plus the founder’s adult daughter. What is the best decision?
Best answer: A
What this tests: Element 3 — Offering and Distribution of Securities
Explanation: A distribution without a prospectus can proceed only for purchasers who independently fit an available exemption. Here, the founder’s adult daughter can qualify through the private issuer pathway, but the six arm’s-length clients are neither accredited investors nor otherwise eligible on the stated facts, and no offering memorandum will be used.
Prospectus exemptions are purchaser-by-purchaser and trade-by-trade. A private issuer cannot sell securities to any investor it chooses simply because it is non-reporting, has transfer restrictions, or is staying private; each purchaser still must fall within an available exemption. On these facts, the founder’s adult daughter can fit a permitted private issuer relationship, but the six arm’s-length brokerage clients do not meet the accredited investor definition and have no qualifying relationship with the issuer. Because no offering memorandum will be prepared, there is no other stated exemption for them. The dealer’s best governance decision is therefore to limit the financing to subscriptions that clearly qualify for an exemption and refuse the rest unless another valid exemption or a prospectus is used. Suitability controls help with dealer obligations, but they do not replace securities-law exemption requirements.
Each purchaser needs a valid prospectus exemption, and the six arm’s-length clients have none on the stated facts.
Topic: Element 5 — Duties, Liabilities and Defences
During a special audit committee meeting, directors learn that the CFO of a listed Investment Dealer appears to have altered a third-party bank confirmation that was used in a capital report sent to CIRO. The firm is near an early-warning trigger, quarter-end public filings are due the next day, and the CFO oversees the finance staff who hold the supporting records. The Board wants to respond proportionately but also recognize that the conduct may expose the individual and the firm to more than regulatory sanctions. What is the single best immediate Board decision?
Best answer: A
What this tests: Element 5 — Duties, Liabilities and Defences
Explanation: Using an altered third-party confirmation in a CIRO capital filing suggests intentional dishonesty, which may engage criminal concepts such as fraud or forgery, not just governance or regulatory failures. The Board should secure evidence, remove the CFO from influence, obtain independent legal advice, notify CIRO, and address disclosure and capital remediation at the same time.
When facts suggest deliberate falsification of documents used in a regulatory filing, the issue is not merely weak controls or a disclosure error. Intentional alteration of a bank confirmation can create potential criminal exposure, while the same event can also trigger regulatory reporting, capital remediation, employment action, and public-company disclosure decisions. A Board should separate those workstreams: protect the investigation by restricting the executive’s access, preserve records, and use independent counsel to assess the facts and legal exposure; in parallel, notify CIRO promptly and determine whether public disclosure or capital corrections are required. Resignation, policy fixes, or waiting for the regulator may address governance optics, but they do not adequately respond to possible criminal conduct or protect the integrity of the evidence.
Altering a third-party confirmation used in a regulatory filing raises possible fraud or forgery concerns, so the Board should secure evidence and launch an independent response while managing regulatory and disclosure consequences.
Topic: Element 4 — Corporate Governance and Ethics
The board of a Canadian Investment Dealer receives an internal audit report stating that branch manager bonuses are driven almost entirely by quarterly sales of the firm’s proprietary structured notes. The report also says two Executives discouraged escalation of suitability concerns to avoid missing revenue targets. No regulator has yet alleged a rule breach. Which response is most consistent with sound governance?
Best answer: D
What this tests: Element 4 — Corporate Governance and Ethics
Explanation: A board cannot treat conflicted compensation and suppressed escalation of suitability concerns as a routine sales issue. In a CIRO-regulated dealer, that combination signals a governance and conduct-risk problem requiring incentive redesign, independent review, and accountability for senior leadership.
Compensation is a governance tool, not just a pay decision. When incentives heavily reward sales of proprietary products and senior leaders discourage escalation of suitability concerns, the issue extends beyond one product line: it suggests poor ethical tone at the top and elevated conduct risk for the firm. The Board should respond through its oversight functions by reviewing the compensation framework, ensuring it supports compliant and client-focused behaviour, requiring independent testing of sales practices and controls, and addressing Executive accountability.
Waiting for a regulatory finding is too passive, because boards are expected to oversee culture and conflicts proactively. Enhanced disclosure alone also does not remove the incentive to push conflicted products. Treating the matter as merely a sales-management issue misses the Board’s responsibility for culture, compensation conflicts, and firm-wide conduct risk. The key takeaway is that poor tone at the top turns compensation design into a Board-level governance issue.
This response addresses both the compensation conflict and the tone-at-the-top failure through Board oversight, independent testing, and Executive accountability.
Topic: Element 8 — UDP Responsibilities
CIRO issues an examination report to an Investment Dealer identifying weak supervision of outside activities. The report requires a written response within 20 business days and evidence of remediation within 90 days. Management misses both deadlines, and the UDP does not follow up or escalate the matter to the Board. Six months later, the same deficiency remains. What is the most likely consequence?
Best answer: A
What this tests: Element 8 — UDP Responsibilities
Explanation: A UDP must ensure examination findings are answered and fixed, not merely delegated. Missing the required response and leaving the deficiency unresolved turns the matter into a governance and supervision issue, so CIRO would most likely escalate its oversight and consider restrictive or disciplinary action.
The UDP’s role is not satisfied by assigning the file to management. The UDP must ensure examination findings receive a timely response, that remediation is actually completed, and that missed deadlines or persistent weaknesses are escalated appropriately, including to the Board when necessary. When a firm ignores an examination report, CIRO is likely to view both the original deficiency and a separate governance or supervisory failure. The most likely immediate consequence is increased regulatory scrutiny and follow-up, which can progress to restrictions, terms and conditions, or disciplinary action if the matter remains unresolved. CIRO does not need to wait for a client complaint, proven loss, or an automatic capital trigger before acting.
Missed responses and unremediated findings signal a UDP oversight failure, which commonly leads to escalated regulatory scrutiny and possible sanctions.
Topic: Element 6 — Risk Management and Internal Controls
CIRO rules require an Investment Dealer to report a legal action filed against it within five business days. A dealer is served with a civil claim by former clients seeking $6 million. External counsel says the case is defensible, so management does not report it. Two months later, the omission is found during a CIRO review. What is the most likely consequence?
Best answer: A
What this tests: Element 6 — Risk Management and Internal Controls
Explanation: The immediate issue is the missed legal-action filing, not whether the dealer will ultimately lose the lawsuit. Once a claim is filed, CIRO expects prompt reporting so it can assess supervisory and prudential implications, and a defensible claim does not remove that obligation.
Legal-action reporting is triggered when the claim is filed against the Investment Dealer. Management cannot wait for a court decision, settlement, or accounting reserve before notifying CIRO. In this scenario, the most likely immediate consequence is that CIRO will require the overdue report and treat the failure to report on time as a regulatory compliance matter.
CIRO’s concern is not limited to whether the firm will eventually be found liable. It also needs timely visibility into potential legal, governance, operational, and prudential issues. A claim may later affect capital, provisioning, or broader supervisory treatment if the facts warrant it, but those are downstream assessments rather than the first automatic outcome.
The key takeaway is that the filing of the action starts the reporting obligation; management’s view of the claim’s merits does not suspend it.
Legal-action reporting is triggered by the filing itself, so the missed notice is a compliance breach even if counsel views the claim as defensible.
Topic: Element 3 — Offering and Distribution of Securities
During a bought-deal roadshow, an issuer’s investor relations manager allegedly told several prospective purchasers that a major customer had renewed a three-year contract. The contract had not been renewed, and some purchasers say they bought in the offering after hearing the comment. Management asks the board committee to approve a memo stating the issuer has little tort exposure because the statement was oral and not in the prospectus. What should the committee verify first?
Best answer: D
What this tests: Element 3 — Offering and Distribution of Securities
Explanation: The key first issue is whether the speaker was acting for the issuer when making the statement. An issuer can face common-law tort liability for oral misrepresentation, and may be vicariously liable if the employee spoke within assigned duties or apparent authority.
Common-law tort exposure is not limited to what appears in a prospectus. An issuer can face negligent or intentional misrepresentation claims for oral statements made to investors, and it may be vicariously liable if the speaker was acting within the course of employment or with apparent authority.
Here, the statement is alleged to be false, and reliance is at least asserted by purchasers. Before the board accepts a memo dismissing exposure, the most important unresolved fact is the link between the investor relations manager and the issuer when the statement was made. If the manager was speaking as part of the roadshow role, the oral nature of the statement does not remove the issuer’s tort risk.
Insurance, investor category, and board process records may matter later, but they do not answer the threshold liability question first.
If the manager spoke within employment duties or apparent authority, the issuer may still face vicarious liability for oral misrepresentation.
Topic: Element 8 — UDP Responsibilities
An Investment Dealer’s Head of Retail Supervision is an Executive responsible for a significant risk area. The Executive has twice failed to escalate recurring branch suitability exceptions and a backlog of unresolved complaint reviews, even though firm procedures require prompt escalation of material supervisory issues to the UDP. Internal audit tells the UDP that the Executive wants to “fix it quietly” and avoid informing the Board’s risk committee until quarter-end. Which response by the UDP is LEAST appropriate?
Best answer: A
What this tests: Element 8 — UDP Responsibilities
Explanation: When an Executive managing a significant risk area repeatedly fails to escalate material issues, the UDP must intervene with documented oversight and remediation. Waiting for confirmed losses and relying on informal reassurance is inconsistent with the UDP’s responsibility to ensure timely escalation and an effective compliance culture.
The UDP is expected to oversee Executives who manage significant areas of risk and to respond when those Executives are underperforming or not escalating appropriately. Here, the issue is both the underlying supervisory problems and the Executive’s repeated failure to escalate them. That means the UDP should move to active oversight: require documented remediation, set deadlines and reporting expectations, assess whether the Executive has the authority and resources to do the job, and use Board or committee escalation if the matter is significant. The absence of confirmed client loss does not justify delay, because unresolved control failures can worsen into broader regulatory, operational, or client-harm issues. The key takeaway is that repeated escalation failures require documented intervention, not passive trust.
A UDP cannot defer action based on informal assurances after repeated failures to escalate material supervisory issues.
Topic: Element 6 — Risk Management and Internal Controls
The board-approved credit policy of a Canadian investment dealer caps exposure to any single financed position at 10% of firm capital, and any exception requires independent risk sign-off and prompt notice to the Board Risk Committee. A hedge fund client wants a margin facility secured mainly by shares of a thinly traded small-cap issuer; approving it would raise the firm’s exposure on that position to 13% of capital. The business head wants to approve it before quarter-end because revenues are weak, but internal audit recently cited the firm for undocumented credit exceptions. As chair of the executive credit committee, what is the single best decision?
Best answer: D
What this tests: Element 6 — Risk Management and Internal Controls
Explanation: The proposed margin facility would exceed a board-approved concentration limit and is backed by thinly traded collateral. The best response is to stop the approval process until independent credit review is completed and any exception is formally documented and escalated under policy.
This is a credit-risk governance issue, not just a pricing or relationship issue. In securities-based financing, daily margining helps, but it does not remove concentration risk, collateral illiquidity, or the possibility that a thinly traded position cannot be liquidated quickly at expected values. Here, the request exceeds the firm’s stated risk appetite and the policy already prescribes how exceptions must be handled.
A sound executive response is to:
Quarter-end revenue pressure is not a valid reason to bypass controls, especially after an audit finding on undocumented exceptions. Raising margin or tightening terms may improve economics, but it does not cure the limit breach or the control failure.
Because the request breaches a board-approved concentration limit, it should not proceed without independent review, documented approval, and required escalation.
Topic: Element 7 — Significant Areas of Risk
At a special board risk-committee meeting, a mid-sized Investment Dealer presents the following:
Which risk-mitigation approach best addresses the most material risk?
Best answer: B
What this tests: Element 7 — Significant Areas of Risk
Explanation: The most material risk is a liquidity and capital shock, not a valuation, reporting, or conduct issue. A large illiquid position combined with concentrated short-term funding can quickly pressure the firm if lenders pull back, so the best mitigation is to reduce the exposure and strengthen funding capacity within formal limits.
This scenario points to a classic concentration-plus-liquidity risk. The firm may meet capital requirements today, but a large share of capital is trapped in one hard-to-sell position while funding is heavily dependent on two short-term lenders. If those lenders do not renew, the dealer could be forced to sell an illiquid asset under stress, damaging capital and business continuity. The best mitigation therefore addresses the balance sheet directly: reduce the concentrated exposure, line up reliable back-up funding, and impose board-approved concentration and liquidity limits supported by a tested contingency funding plan. Valuation work, enhanced reporting, and compensation changes may still help, but they do not remove the immediate rollover and forced-sale risk. The closest distractor improves oversight, but monitoring alone does not materially reduce the exposure.
The main threat is a near-term liquidity and capital squeeze from concentrated illiquid assets funded by unstable short-term borrowing, so mitigation must directly reduce exposure and strengthen funding resilience.
Topic: Element 8 — UDP Responsibilities
An Investment Dealer’s daily capital report shows that a sharp markdown in underwriting inventory caused a failure of one prescribed early warning test this morning.
Exhibit: Firm policy excerpt
The CFO expects a parent capital injection in 3 business days and suggests waiting. As UDP, what is the best next step?
Best answer: B
What this tests: Element 8 — UDP Responsibilities
Explanation: The UDP should respond immediately to the failed prescribed test, not wait for a hoped-for capital fix. The proper workflow is prompt notice to CIRO, application of the stated restrictions, board escalation, and remediation, with lifting left to CIRO.
Early warning is a capital and supervisory response process, not a wait-and-see exercise. Once the prescribed test is failed, the UDP should promptly notify CIRO, ensure the firm follows the stated early warning restrictions, escalate the matter to appropriate senior governance bodies, and prepare a credible remediation plan. A pending capital infusion may help resolve the issue, but it does not let the firm delay notification or continue restricted actions as usual.
CIRO also has discretion to impose added conditions, assess the adequacy of the firm’s corrective measures, and decide when the designation can be lifted. That means the firm cannot treat the situation as self-cured simply because management expects new capital soon. The closest wrong approach is internal escalation without immediate restriction compliance or regulator notice.
A failed prescribed test requires prompt CIRO notice and immediate compliance with early warning restrictions, and only CIRO can lift or vary the designation.
Topic: Element 4 — Corporate Governance and Ethics
An Investment Dealer’s governance committee is reviewing a proposed technology-outsourcing contract.
Exhibit: Committee extract
Based on the exhibit, what is the most appropriate action for the chair?
Best answer: A
What this tests: Element 4 — Corporate Governance and Ethics
Explanation: Ethical conduct at board level requires more than disclosing a personal interest. Because the code says a director must step back when independent judgment could reasonably be questioned, the chair should require recusal and let the remaining directors assess the vendors fairly.
The core issue is conflict management as part of ethical governance. Honesty requires Patel to disclose the holding, but proper care, fairness, and compliance require the board to manage the conflict so decision-making remains independent and trustworthy. Here, Patel has a direct economic interest in a bidder, the firm’s code expressly requires stepping back when independence could reasonably be questioned, and there is no urgency forcing the committee to rely on Patel during deliberations.
The chair should:
That approach protects the integrity of the process without assuming Vendor Q itself must be disqualified. The weaker alternatives confuse disclosure or expertise with a sufficient cure for a live conflict.
Disclosure alone is not enough where independent judgment could reasonably be questioned, so recusal best preserves fairness and compliance.
Topic: Element 4 — Corporate Governance and Ethics
An Investment Dealer with corporate finance, research, institutional sales, and proprietary trading is retained on a confidential financing for a listed issuer. The terms are material and non-public. The UDP wants a response that contains the information while still allowing legitimate mandate work. Which action is most appropriate?
Best answer: A
What this tests: Element 4 — Corporate Governance and Ethics
Explanation: Material non-public information in a mixed business-line dealer should be contained through formal information barriers and need-to-know access, not broad internal sharing. Controlled wall-crossings, internal lists, and supervised communications let the mandate team work while reducing leakage and misuse risk.
The core issue is containment, not simply awareness. When an Investment Dealer receives confidential issuer information that could affect market price, senior management should ensure that only personnel with a legitimate business need are brought over the wall. Access should be recorded and supervised by control functions, and the issuer should be placed on internal watch or restricted lists as appropriate so research, sales, and trading activity can be managed centrally. In a mixed business-line environment, broad circulation increases the number of insiders and weakens the barrier. A blanket freeze can be overbroad and still miss the real control point if access is not limited and documented. The best approach is targeted, documented need-to-know containment.
It applies the need-to-know principle through formal information barriers, controlled access, and centralized monitoring.
Topic: Element 3 — Offering and Distribution of Securities
A Board is reviewing how management plans to communicate while preparing a public offering. Which disclosure mechanism is correctly matched with its permitted use in Canada?
Best answer: C
What this tests: Element 3 — Offering and Distribution of Securities
Explanation: The permitted selective disclosure here is the confidential pre-filing made to securities regulators. That process is designed for regulatory review of draft offering documents, unlike selective communications of material issuance information to investors, analysts, or shareholders.
In Canadian securities issuance practice, the key distinction is between confidential disclosure to a regulator and selective disclosure to market participants. An issuer may submit a draft prospectus or similar offering materials to securities regulators on a confidential pre-file basis to obtain comments before a public launch. That is a controlled filing process, not a marketing communication. By contrast, giving material non-public offering information to selected investors, analysts, or shareholders can breach tipping and selective disclosure prohibitions unless a specific legal exception applies. Sophistication, existing ownership, or an NDA does not automatically make the communication permissible. For directors and executives, the practical question is whether the disclosure is part of a recognized regulatory or necessary-business process, rather than selective market outreach.
A confidential pre-file with securities regulators can be used to obtain comments on draft offering documents before public filing.
Topic: Element 1 — General Regulatory Framework
At a board risk committee meeting, management summarizes a CIRO compliance examination of a Canadian Investment Dealer: webinar slides overstated performance, some social-media posts were never approved, and several leveraged recommendations were unsuitable and not escalated by branch supervision. The directors ask what CIRO may properly do in response. Which statement is INCORRECT?
Best answer: A
What this tests: Element 1 — General Regulatory Framework
Explanation: CIRO’s mandate includes setting and enforcing standards for dealer conduct, supervision, sales practices, and external communications. It can examine firms and discipline firms or individuals, but it does not replace courts or other compensation mechanisms by adjudicating private damages claims.
CIRO is the self-regulatory organization for Canadian investment dealers and has authority to oversee member firms’ conduct, supervisory systems, sales practices, and external communications. In this scenario, misleading webinar content, unapproved social-media posts, and unsuitable leveraged recommendations all fall squarely within CIRO’s examination and enforcement mandate because they raise client-protection and supervision concerns. CIRO can investigate, require remediation, and pursue disciplinary outcomes such as fines, suspensions, and terms or conditions affecting the firm or responsible individuals. From a governance perspective, the board and UDP should treat these findings as a firm-level control issue requiring escalation, root-cause analysis, and corrective action. What CIRO does not do is act like a civil court to decide private damages claims for clients; those outcomes are generally addressed through complaint handling, OBSI, settlements, or civil proceedings.
CIRO can examine, regulate, and discipline, but it does not function as a court deciding private civil damages claims for clients.
Topic: Element 5 — Duties, Liabilities and Defences
The board of a Canadian investment dealer is asked to approve a five-year lease for a new head office. The proposed landlord was introduced by the COO, who says the rent is “market” and approval is needed this week. During discussion, a director recalls the COO mentioning an ownership interest in a real-estate company connected to the property, but no conflict note appears in the board package. Before approving the lease, what should the board verify first?
Best answer: C
What this tests: Element 5 — Duties, Liabilities and Defences
Explanation: The first issue is whether the COO stands to benefit personally from the transaction. A board cannot properly assess whether corporate assets are being used in the firm’s best interests until any direct or indirect conflict is identified and handled.
This tests fiduciary duty and conflict management. When a senior executive may have a personal interest in a proposed transaction, the board must first verify whether that interest actually exists and how direct it is. That fact determines whether disclosure, recusal, independent review, or a different approval process is needed before the firm commits its assets.
Commercial questions such as price, timing, and legal drafting are still important, but they are secondary until the board knows whether the recommendation is affected by self-interest. A fiduciary cannot use position or influence to steer corporate assets toward personal benefit, even if the terms might later appear competitive. The closest distractor is the market-rate comparison, which matters only after the conflict question is clarified.
A possible personal interest must be established first because fiduciary duties require the transaction to be assessed free from self-dealing.
Topic: Element 7 — Significant Areas of Risk
An Investment Dealer has expanded into derivatives and outsourced back-office processing. The Board has identified market, liquidity, technology, and operational risk as significant areas of risk, but Executive accountability for those areas is still informal. What action best aligns with CIRO expectations for managing these risks?
Best answer: D
What this tests: Element 7 — Significant Areas of Risk
Explanation: Managing significant areas of risk requires clear Executive ownership, not informal sharing. The firm should appoint qualified Executives and document each person’s authority, duties, and reporting lines so the Board and UDP can oversee an accountable framework.
The core governance expectation is that significant areas of risk have clearly assigned management accountability. Once the firm identifies material risk areas, it should appoint appropriately qualified Executives to be responsible for them and formally document each Executive’s mandate, authority, responsibilities, and reporting or escalation lines. That documentation helps the Board, its committees, and the UDP supervise the framework, challenge management effectively, and avoid gaps or overlap in responsibility.
A sound approach makes clear:
Leaving ownership informal weakens internal control and makes it harder to manage, monitor, and remediate risk. Board or committee oversight is important, but it does not replace named Executive accountability.
Clear, documented Executive ownership of each significant risk area is the core governance control needed for accountability, oversight, and escalation.
Topic: Element 5 — Duties, Liabilities and Defences
The board of a Canadian investment dealer approves a major outsourcing change after receiving detailed management materials, questioning assumptions, reviewing independent legal and technology advice, and recording its reasons. The project later performs poorly and causes losses. Which legal defence best matches the principle that a court should generally not second-guess this informed, good-faith board decision merely because the outcome was unfavourable?
Best answer: A
What this tests: Element 5 — Duties, Liabilities and Defences
Explanation: The described principle is the business judgment rule. It focuses on the quality of the board’s decision-making process—being informed, acting honestly, and considering relevant factors—rather than on whether the decision ultimately succeeded.
The core concept is the business judgment rule. In a governance context, courts generally defer to a board decision when Directors acted in good faith, were reasonably informed, considered the relevant risks and alternatives, and reached a decision that was within a reasonable range of outcomes. A bad result does not, by itself, prove that the board breached its duty.
The closest distractor is reliance on experts, because experts were consulted, but the stem asks about judicial deference to the overall board decision.
This is the business judgment rule because it protects an informed, honest board decision from hindsight review based only on a poor outcome.
Topic: Element 8 — UDP Responsibilities
CIRO issues an examination report to an Investment Dealer identifying repeat deficiencies in trade supervision and weak evidence that prior findings were fully remediated. The report requests a written response within 20 business days. As UDP, which action best aligns with your responsibility?
Best answer: D
What this tests: Element 8 — UDP Responsibilities
Explanation: The UDP must ensure examination findings are not only answered but actually remediated. The strongest action is a documented plan with clear owners, timelines, escalation, and follow-up testing to confirm the fixes work.
The core expectation is active oversight of remediation. A UDP may rely on the CCO, business heads, operations, or internal audit to perform parts of the work, but the UDP remains responsible for ensuring the firm responds to the examination report and that deficiencies are addressed effectively. In practice, that means documented action items, accountable owners, realistic deadlines, progress tracking, escalation of significant or repeat issues, and evidence that corrective measures are operating before an item is closed. A response letter by itself is not enough, and neither is an informal promise to fix issues later. The key distinction is between delegating tasks and retaining accountability for timely, effective remediation.
The UDP must ensure findings receive accountable, timely remediation and evidence of effective closure, not just a written reply.
Topic: Element 2 — Dealer Business Model
During a board review of service-line conflicts, management describes a policy under which research analysts report outside corporate finance, their compensation is not tied to a specific underwriting or M&A mandate, and draft reports may be reviewed only for factual accuracy before publication. Which function does this policy primarily support?
Best answer: D
What this tests: Element 2 — Dealer Business Model
Explanation: The policy addresses conflicts between research and corporate finance. Separate reporting lines, compensation limits, and factual-only review are classic controls used to help ensure research opinions are not shaped by underwriting or advisory business.
The core concept is research independence. When an Investment Dealer offers both corporate finance services and research, the firm must manage the risk that underwriting or M&A revenue will influence analyst views, report timing, or report content. Controls such as separate reporting lines, compensation not tied to specific mandates, and limiting outside review to factual verification are aimed at protecting the objectivity and credibility of published research. These measures reduce conflicts of interest, help prevent implicit promises of favourable coverage, and support fair treatment of investors who may rely on the firm’s research. Information barriers, underwriting due diligence files, and best execution monitoring are all important, but they address different risks in other parts of the dealer’s business model.
These controls are designed to keep research analysis and publication independent from banking incentives and issuer influence.
Topic: Element 4 — Corporate Governance and Ethics
A publicly listed Canadian investment dealer is finalizing its annual MD&A and management information circular over the next 10 days. Several institutional shareholders have asked about climate strategy and workforce diversity, and management wants the filings to describe the firm as a “sustainability leader.” The board has not yet assessed which ESG matters are material to the dealer’s strategy, risk profile, or executive oversight, but the audit committee already reviews continuous disclosure and the risk committee oversees enterprise risk. What is the best decision by the board?
Best answer: A
What this tests: Element 4 — Corporate Governance and Ethics
Explanation: ESG becomes relevant when it may affect the firm’s strategy, risk oversight, or public disclosure, not only when a standalone ESG rule exists. Here, the board should quickly assess materiality, use its existing committee structure, and ensure the filings contain only supportable statements.
ESG is relevant to governance and disclosure whenever an environmental, social, or governance matter could reasonably affect the firm’s strategy, risk profile, operations, reputation, or investors’ understanding of the issuer. In this scenario, shareholder focus, imminent public filings, and management’s proposed “sustainability leader” language make ESG a board-level issue now. The board does not need to wait for a separate prescriptive rule or create a new committee before acting. Instead, it should require a defensible materiality assessment, assign oversight through existing committees with clear mandates, and ensure disclosure matches actual practices and identified risks. That approach supports proper board oversight and reduces the risk of boilerplate or overstated ESG claims. The weaker choices either delay action, misclassify ESG as mere marketing, or add unnecessary governance structure.
Material ESG issues can affect governance and disclosure now, so the board should assess materiality promptly and disclose only supportable facts through its existing oversight structure.
Topic: Element 5 — Duties, Liabilities and Defences
A board of a Canadian Investment Dealer is deciding how to allocate capital among its OEO platform, institutional fixed-income desk, and corporate finance group. It wants a strategic tool that places each business unit on a grid using market growth and the firm’s relative market share so it can judge where to invest, hold, or exit. Which strategic analysis method best matches that purpose?
Best answer: C
What this tests: Element 5 — Duties, Liabilities and Defences
Explanation: The BCG growth-share matrix is a portfolio analysis tool used to compare business units based on market growth and relative market share. In this board-level capital allocation decision, it best fits the stated need to assess where the dealer should invest further, maintain its position, or reduce commitment.
This question tests matching a strategic tool to its function. The BCG growth-share matrix is specifically designed for multi-business organizations that want to compare business lines using two variables: market growth and relative market share. That makes it useful when a board is allocating scarce capital across units such as OEO, institutional trading, and corporate finance.
In practice, the tool helps leadership think about portfolio positioning:
The closest distractors are broader strategic frameworks, but they do not provide this specific portfolio grid for capital allocation across business units.
This matrix evaluates business units by market growth and relative market share to support invest, hold, or divest decisions.
Topic: Element 5 — Duties, Liabilities and Defences
A Director of North Shore Securities, an Investment Dealer, receives this update after an internal misconduct review.
Exhibit: General counsel memo
Which interpretation is best supported?
Best answer: A
What this tests: Element 5 — Duties, Liabilities and Defences
Explanation: The exhibit describes several different consequence tracks. The police review tied to possible Criminal Code fraud is the only item pointing to criminal liability; the CIRO matter, the securities regulator notice, the client lawsuits, and the Board leave decision are regulatory, civil, or governance responses.
Criminal-penalty analysis starts with the legal nature of the proceeding, not with how serious the allegation sounds. In the exhibit, the police request for records while assessing possible Criminal Code fraud charges is the only development that could lead to criminal prosecution and criminal sanctions if proven. By contrast, CIRO enforcement and the securities regulator’s notice are regulatory or administrative matters, even if they may result in severe sanctions such as fines, suspensions, or market prohibitions. The client claims are civil actions seeking damages, and the Board’s decision to place the UDP on leave is an internal governance measure. These tracks may exist at the same time; one does not automatically replace or delay the others. The key point is that punitive-looking consequences are not automatically criminal.
The memo identifies a possible Criminal Code matter separately from regulatory, civil, and governance consequences.
Topic: Element 6 — Risk Management and Internal Controls
A Canadian Investment Dealer is reviewing a board package for a new financing affiliate that will originate consumer receivables and sell them monthly into a securitization trust. The package says risk is controlled because the group will retain only a small first-loss piece, carry E&O and cyber insurance, and require annual employee attestations to policies. It includes volume forecasts, insurance certificates, and training plans, but no analysis of repurchase obligations, servicing duties, policy exclusions, or ongoing compliance testing. Which missing item is the most significant deficiency?
Best answer: B
What this tests: Element 6 — Risk Management and Internal Controls
Explanation: The key gap is the absence of a documented residual-risk assessment supported by independent compliance monitoring and escalation. Securitization and insurance transfer only defined risks, and annual attestations alone are not evidence that compliance controls are working.
This scenario tests whether the proposed risk tools are actually effective, not merely present. Securitization can reduce exposure, but a retained first-loss piece, repurchase obligations, and servicing responsibilities leave material residual risk. Insurance can absorb some losses, but only within policy limits and subject to exclusions, so it is not a substitute for understanding what remains uninsured. Compliance is effective only when policies are independently monitored, exceptions are identified, and issues are escalated; annual attestations by staff are not enough.
A better dashboard or more training would help, but neither cures the missing analysis and verification of residual risk.
This is required because securitization and insurance leave retained and excluded exposures, and annual attestations do not verify that compliance controls are effective.
Topic: Element 3 — Offering and Distribution of Securities
A reporting issuer’s governing corporate statute states that holders of at least 5% of the voting shares may require the corporation to call a special meeting. A shareholder group holding 7% submits a formal written request to replace two directors. Which shareholder-right concept best matches this situation?
Best answer: D
What this tests: Element 3 — Offering and Distribution of Securities
Explanation: This situation matches the statutory right to requisition a shareholder meeting. The group meets the stated ownership threshold and is using that right to bring a contested board issue before shareholders rather than waiting for the next annual meeting.
A meeting requisition right lets qualifying shareholders require the corporation to call a meeting so shareholders can vote on a specific matter, such as changes to board composition. Here, the statute expressly says holders of at least 5% of the voting shares can do this, and the group holds 7%, so the matching feature is the right to requisition a special meeting.
The other listed rights serve different functions:
The key distinction is that this fact pattern is about forcing a shareholder vote at a meeting, not suing over unfair conduct or exiting a transaction for fair value.
The group is using the statutory right to requisition a meeting because it meets the stated ownership threshold and seeks a shareholder vote on board composition.
Topic: Element 2 — Dealer Business Model
At a product committee chaired by the UDP, an Investment Dealer is considering adding a third-party private credit fund to its retail shelf. The fund offers monthly liquidity but may suspend redemptions in stressed markets. The issuer has provided a prospectus, a legal opinion, and marketing materials. The dealer has also seen rising complaints and concentration in a similar income product already on its shelf. Which action best aligns with expectations for new-product due diligence and ongoing risk assessment?
Best answer: D
What this tests: Element 2 — Dealer Business Model
Explanation: The best action is a documented, dealer-owned product governance process before launch and after launch. For a complex or potentially illiquid product, the firm should perform its own due diligence, define who the product is appropriate for, apply controls, and set triggers for ongoing reassessment of shelf products as risks evolve.
Product due diligence is not satisfied by receiving an issuer’s prospectus, legal opinion, or marketing package. An Investment Dealer should make its own risk-based decision on whether the product belongs on its shelf, how it may be sold, to whom, and under what controls. For a private credit fund with possible redemption limits, the committee should assess structure, liquidity mismatch, valuation, conflicts, compensation incentives, operational readiness, disclosure, training, and supervision. It should also establish post-launch monitoring for complaints, concentration, sales patterns, and changes in market conditions or product features, with escalation and reassessment triggers for both new and existing products.
Client-level suitability is important, but it does not replace firm-level product governance.
This reflects dealer-owned product governance: independent assessment before launch and defined ongoing monitoring and escalation after launch.
Topic: Element 6 — Risk Management and Internal Controls
An Investment Dealer plans to launch a leveraged institutional financing desk and, at the same time, move trade processing to a vendor-hosted platform. The sponsoring business heads want their project committee to approve the risk framework because they know the products and systems best. The Board Risk Committee wants the approach that best supports appropriate independent risk management over higher-risk business lines and critical infrastructure. Which action is most appropriate?
Best answer: B
What this tests: Element 6 — Risk Management and Internal Controls
Explanation: The key issue is independence. For a leveraged desk and an outsourced core platform, the firm should use a risk function separate from the sponsoring business to challenge assumptions, set limits and conditions, monitor exposures, and escalate material concerns to the Board Risk Committee.
Higher-risk business lines and critical infrastructure changes should not be effectively self-approved by the units that sponsor or profit from them. Durable governance expects the first line to own day-to-day risks, but independent risk management as the second line must provide objective challenge: assess readiness before launch, set or recommend conditions and limits, monitor ongoing exposures, and escalate material issues outside the business-line reporting chain. That independence is especially important where leverage, outsourcing, operational resilience, client impact, capital usage, or compliance risk could increase.
Internal audit is a third-line assurance function and generally tests whether the framework is working after it is in place. Vendor reports and management attestations can inform the review, but they do not replace firm-led independent risk assessment and escalation authority. Business expertise helps execution, but it cannot replace independent challenge.
Independent second-line oversight must be separate from the revenue and project owners, with authority to challenge, monitor, and escalate material concerns.
Topic: Element 6 — Risk Management and Internal Controls
The board of a Canadian Investment Dealer is reviewing its enterprise risk management package. The package includes a board-approved risk appetite statement, risk categories, assigned owners, key risk indicators with thresholds, and planned mitigations for each category. Quarterly dashboards compare actual results with the thresholds. However, the policy says business line heads may decide, using their own judgment, whether a threshold breach needs to be reported beyond their department. Which missing control is the clearest deficiency in the framework?
Best answer: A
What this tests: Element 6 — Risk Management and Internal Controls
Explanation: The decisive gap is the absence of a formal escalation process for breaches of risk limits or tolerances. A sound Investment Dealer risk framework must not leave reporting of breaches to first-line discretion once the board has approved appetite, metrics, and thresholds.
The core issue is governance over limit breaches. This framework already contains several important elements: board-approved risk appetite, identified risks, measurable indicators, thresholds, owners, and mitigations. But those elements do not operate as an effective control if a business head can decide whether a breach is reported.
A proper framework should make clear:
Risk appetite and tolerance must be translated into enforceable limits, and breaches of those limits must trigger a documented response. Peer data, more frequent reporting, and broader narrative can improve oversight, but they do not fix the primary control failure: unstructured breach escalation.
Board-approved limits are ineffective if first-line management can choose whether a breach is escalated or reported.
Topic: Element 4 — Corporate Governance and Ethics
Maple Crest Securities Ltd., a CIRO-regulated Investment Dealer, is preparing for a financing announcement. A shareholder holding 55% of the voting shares emails the chair demanding that an elected director be removed immediately and replaced before the announcement. The dealer’s bylaws state that a shareholder-elected director may be removed only by shareholders at a special meeting on 21 days’ notice, or by a written resolution signed by all voting shareholders. What is the board’s best next step?
Best answer: C
What this tests: Element 4 — Corporate Governance and Ethics
Explanation: The bylaws control how this director can be removed, and they require either a special meeting or unanimous written shareholder consent. Because only 55% of voting shareholders support immediate action, the board should use the special-meeting route and then deal with any vacancy through the proper governance process.
Corporate bylaws are the company’s operative rules for meetings, elections, removals, and related governance mechanics. When the bylaws reserve removal of a shareholder-elected director to shareholders, the board cannot replace that process with its own resolution just because a controlling shareholder wants speed.
In this case, the bylaws provide only two valid paths:
Because the request comes from only 55% of voting shareholders, the unanimous written-resolution route is unavailable. The proper next step is to initiate the special-meeting process, give the required notice, and address any resulting vacancy only after the removal has been validly approved. Majority support may affect the eventual vote, but it does not eliminate the bylaw procedure.
The bylaws require shareholder action for removal, so the board must use the special-meeting process unless all voting shareholders sign a written resolution.
Topic: Element 6 — Risk Management and Internal Controls
A Board risk committee of an Investment Dealer receives a memo on client asset segregation and trade-supervision controls:
Which deficiency should the Board identify as the most significant?
Best answer: B
What this tests: Element 6 — Risk Management and Internal Controls
Explanation: The decisive issue is the absence of a documented control framework that is periodically reviewed and formally approved. Board reporting and compliance testing are useful, but they do not satisfy the core requirement that key controls be written, adequate, reviewed, and approved.
For an Investment Dealer, Board oversight of internal controls starts with having a clear, documented control framework. If key controls exist only as local desk checklists that managers change on their own, the firm cannot reliably show consistency, adequacy, version control, or formal governance approval.
CIRO expectations are not met by informal practice alone. Core controls should be:
Quarterly testing and exception reporting are monitoring tools layered on top of the control framework; they do not replace the need for documented, approved controls. Richer reporting is helpful, but it is secondary to fixing the missing governance foundation.
Core controls cannot rely on informal local checklists; they must be documented, reviewed periodically, and formally approved.
Topic: Element 4 — Corporate Governance and Ethics
At a special board meeting, North Ridge Securities Ltd., an Investment Dealer, faces a governance dispute after one independent director resigns. The Chair also wants to add a new director with cyber-risk expertise before the next annual meeting.
Bylaw excerpt:
Which action best fits the board’s authority under these bylaws?
Best answer: A
What this tests: Element 4 — Corporate Governance and Ethics
Explanation: The decisive factor is authority under the bylaws. The board may fill an ordinary vacancy caused by a resignation, but a new seat created by expanding the board must be left for shareholder election.
Bylaws often distinguish between similar-looking governance actions by assigning authority differently. Here, the board has express authority to fill a mid-year vacancy caused by a resignation, so it can appoint a replacement director now. But the proposed cyber-risk seat would arise only because the board wants to increase the number of directors, and the bylaw expressly says that type of vacancy must be filled by shareholders.
A bylaw amendment does not change the immediate result under these facts, because any director-made amendment still has to go to shareholders at the next meeting. The key takeaway is to separate a true vacancy from a newly created seat and apply the bylaw language to each.
The bylaws permit the board to fill a resignation vacancy, but not a vacancy created by expanding the board.
Topic: Element 7 — Significant Areas of Risk
An Investment Dealer is lead underwriter on a bought deal for a listed issuer. To speed distribution, the head of investment banking emails a draft prospectus and the issuer’s unpublished quarterly results to equity research and several top-producing advisors so they can prepare client calls. No wall-crossing records were created, and the issuer was not placed on the firm’s restricted list. Bankers’ bonuses depend heavily on the deal closing. As UDP, what is the primary significant risk and the best immediate response?
Best answer: B
What this tests: Element 7 — Significant Areas of Risk
Explanation: The key red flag is a breakdown in information barriers around material non-public information (MNPI) during a corporate finance mandate. Because unpublished results were shared with research and advisors without proper controls, the UDP should first contain the exposure by stopping related activity, restricting the issuer, and escalating the breach.
This scenario primarily raises corporate finance and compliance risk tied to MNPI leakage. The most serious fact is not the underwriting commitment or the bonus structure; it is that unpublished issuer results were distributed beyond a controlled need-to-know group without wall-crossing documentation or a restricted-list entry. That creates an immediate risk of improper research activity, client solicitation, or trading while the firm possesses confidential issuer information.
The first priority is containment and escalation:
Liquidity, compensation, and file-security issues may also matter, but they are secondary to the immediate MNPI control failure.
Unpublished issuer results were shared without wall-crossing or restricted-list controls, so the urgent issue is containing MNPI exposure and escalating it immediately.
Topic: Element 2 — Dealer Business Model
An Investment Dealer plans to add a daily-reset leveraged inverse ETF to its retail shelf for advised and online channels. Internal product notes say the ETF is designed for short-term, sophisticated investors, may behave unpredictably if held for more than one day, and can generate large losses in volatile markets. The head of distribution wants to allow purchases in all retail accounts at launch if clients complete a click-through risk acknowledgement. Which action best aligns with sound product-governance expectations?
Best answer: A
What this tests: Element 2 — Dealer Business Model
Explanation: The best action is a proactive product-governance review before launch. Because the ETF’s risks depend on product mechanics, holding period, and investor sophistication, the firm should define the target market, approved account usage, and supporting controls before clients can access it.
The core principle is that a firm must match how a product is developed and delivered to the product’s real risk characteristics. A daily-reset leveraged inverse ETF is a complex product whose performance can diverge sharply from client expectations when it is held longer than intended, so disclosure alone is not enough. Senior management should require a documented review that identifies the target market, appropriate channels and account types, investor knowledge needs, and key risks such as volatility, leverage effects, and holding-period sensitivity. Before launch, the firm should also put in place training, supervision, and surveillance designed for those risks. The key takeaway is that product governance is preventative: the firm should control distribution and account usage upfront rather than rely mainly on client acknowledgements or react after harm occurs.
Complex products should have pre-launch controls that match distribution, account use, and supervision to the product’s actual risk characteristics.
Topic: Element 1 — General Regulatory Framework
Which statement best describes the purpose of Canada’s Competition Act?
Best answer: B
What this tests: Element 1 — General Regulatory Framework
Explanation: The Competition Act is aimed at preserving competitive markets and addressing conduct that undermines consumers and market fairness. Its purpose is broader than dealer solvency, prospectus regulation, or securities-law offences alone.
The core idea is competition policy, not securities licensing or prudential supervision. Canada’s Competition Act is designed to promote fair and efficient competition, protect consumers from harmful marketplace conduct, encourage innovation, and help preserve confidence in market integrity. It does this by addressing practices such as anti-competitive agreements, abuse of dominance, and deceptive marketing.
For Directors and Executives, the key distinction is that the Act focuses on how firms compete and market their products and services. It is not the statute that sets capital requirements for dealers, governs prospectus filings, or serves as the sole source of securities-market misconduct rules. Those functions arise under other regulatory frameworks. The best answer is the one that reflects the Act’s broad competition and consumer-protection purpose.
This best captures the Act’s broad purpose of maintaining competitive markets while addressing conduct that harms consumers and market integrity.
Topic: Element 8 — UDP Responsibilities
Within CIRO’s oversight framework, annual risk questionnaires and risk trend reports are primarily used to:
Best answer: D
What this tests: Element 8 — UDP Responsibilities
Explanation: Annual risk questionnaires and risk trend reports are supervisory planning tools. They help CIRO identify higher-risk areas and tailor examination work and information requests, which reduces duplication and minimizes business disruption.
The core concept is risk-based regulatory oversight. Annual risk questionnaires and risk trend reports give CIRO current information about a firm’s business model, control environment, and emerging risks so it can plan examinations more efficiently. That allows the regulator to focus on areas that matter most, ask for information that is more targeted, and avoid repeatedly requesting the same material unnecessarily. For a UDP and senior management, these tools matter because accurate, timely reporting can improve examination planning and reduce operational disruption while still supporting effective oversight.
The closest confusion is treating these tools as internal governance documents; they inform regulatory examination planning rather than setting the firm’s own risk appetite.
These tools help CIRO focus examinations on higher-risk areas, which reduces duplicate requests and limits disruption to the firm’s business activities.
Topic: Element 7 — Significant Areas of Risk
An Investment Dealer relies on one cloud vendor for client onboarding, trade confirmations, daily books and records, and several regulatory reports. The firm had two short outages in one month, internal audit found no tested fallback process, and the COO says fixing the issue now would delay a major product launch. The board’s risk appetite states low tolerance for disruptions affecting clients, regulatory reporting, or market access. Management proposes treating this as an ordinary technology issue and updating the board at year-end. What is the best board response?
Best answer: C
What this tests: Element 7 — Significant Areas of Risk
Explanation: This vendor dependency affects several critical activities at once, including client service, books and records, and regulatory reporting. Because the risk is cross-functional, already showing warning signs, and outside the board’s stated risk tolerance, it deserves special governance attention now.
Significant areas of risk require special governance attention when they could materially harm the dealer across more than one dimension, such as clients, compliance, operations, capital, or reputation. Here, one vendor supports several critical processes, outages have already occurred, and there is no tested fallback. That means the issue is not just a routine technology matter; it is an enterprise risk with potential regulatory and client consequences.
The board should ensure:
Waiting for actual harm, relying on a normal audit cycle, or limiting the response to contract negotiation would understate the firm’s exposure and weaken governance.
This issue could materially affect multiple critical functions at once, so it requires enhanced governance rather than routine project monitoring.
Topic: Element 8 — UDP Responsibilities
An Investment Dealer’s UDP ensures the firm’s annual risk questionnaire and risk trend report are complete, candid, and submitted on time. The filing highlights rapid growth in options trading, a new outsourced cybersecurity provider, and an unresolved branch supervision weakness, and it explains the firm’s remediation plan. What is the most likely consequence for CIRO’s next examination of the firm?
Best answer: B
What this tests: Element 8 — UDP Responsibilities
Explanation: Annual risk questionnaires and risk trend reports are meant to help CIRO plan examinations on a risk-sensitive basis. When the UDP provides a complete and candid picture, CIRO can target its review and avoid asking multiple business units for the same information, which helps minimize disruption.
The core concept is risk-based examination planning. CIRO uses the annual risk questionnaire and risk trend report to understand a dealer’s business model, emerging risks, control weaknesses, and remediation status before the exam begins. If the UDP ensures those tools are accurate, timely, and sufficiently detailed, CIRO can focus its examination on the areas that matter most and tailor document requests accordingly.
That improves efficiency in two ways:
Disclosure of issues does not itself eliminate regulatory scrutiny, change capital treatment, or guarantee a lighter exam. It mainly improves planning, targeting, and coordination.
Complete and accurate risk reporting helps CIRO focus its examination plan on the firm’s actual risk areas instead of making broader, duplicative requests.
Topic: Element 4 — Corporate Governance and Ethics
An Investment Dealer’s bylaws provide that any contract over $1 million binds the corporation only if signed by the CEO and CFO together, or by an officer expressly authorized by board resolution. The COO, acting alone and without a board resolution, signs a $4 million outsourcing agreement. The vendor had reviewed the bylaw excerpt during negotiations and knew the COO lacked that authority. What is the most likely consequence for the corporation?
Best answer: C
What this tests: Element 4 — Corporate Governance and Ethics
Explanation: Bylaws can limit who has authority to bind the corporation. Because the vendor knew the COO lacked the required signing authority, the firm can challenge whether it is bound unless the board ratifies the deal. Indemnification or liability-limitation language does not fix the authority problem.
Corporate bylaws can restrict which officers may bind the corporation. Here, the bylaw clearly required either the CEO and CFO together or specific board authorization for contracts above $1 million, and the vendor knew the COO had neither. That makes the immediate consequence an authority problem: the corporation has a strong basis to dispute whether the outsourcing agreement is binding unless the board later ratifies it.
The closest trap is treating indemnity or exculpation as a substitute for proper signing authority.
Because the vendor knew the COO lacked the bylaw-required authority, the firm can dispute being bound unless the board ratifies the agreement.
Topic: Element 2 — Dealer Business Model
The board of a Canadian Investment Dealer wants more recurring revenue, but it has a low risk appetite for unmanaged conflicts and requires any new compensation model to be defensible through disclosure and supervision. Management proposes moving many advisory clients from commissions into fee-based or negotiated flat-fee accounts, paying advisors a quarterly bonus based only on net new assets moved into those accounts, entering referral-fee arrangements with an affiliated estate-planning firm, and using client brokerage commissions in a soft-dollar arrangement to buy third-party research and branch tablets. An internal review found that the move would benefit some clients but not others, and branch referral disclosures are inconsistent. What is the single best decision for the board?
Best answer: A
What this tests: Element 2 — Dealer Business Model
Explanation: Recurring-fee models can improve revenue stability, but the board cannot approve them on economics alone. The best response is to redesign the plan so fee-based or flat-fee pricing fits the client, bonus design does not reward unsuitable switches, referral arrangements are properly disclosed, and soft-dollar benefits are limited to eligible research or execution services.
Compensation oversight at the board level means making each pay structure workable within the firm’s conflict-management and supervisory framework. Here, moving clients to fee-based or negotiated flat-fee accounts may be appropriate for some households, but the internal review shows it is not automatically better for all clients, so the dealer needs suitability criteria, stated service levels, and ongoing monitoring after migration. A bonus tied only to assets moved into those accounts creates a one-way incentive that can distort recommendations, so the metric should be rebalanced and supervised. Referral-fee arrangements with an affiliate need a formal arrangement and clear client disclosure of the relationship and compensation. Soft-dollar arrangements are not a general budget source; client brokerage commissions should be used only for eligible research or execution-related benefits, not branch tablets. The key mistake is treating disclosure alone as a cure for conflicted design.
This response addresses the core requirement for each structure: client-fit for fee accounts, controlled incentives, proper referral disclosure, and permitted soft-dollar use only.
Topic: Element 5 — Duties, Liabilities and Defences
North Ridge Securities, an investment dealer, is sued after an underwriting disclosure error. A director who sat on the due diligence committee asks for a side letter stating the firm will cover any defence costs, settlement, judgment, or regulatory penalty, even if the director is later found to have acted in bad faith. Counsel advises that the bylaws permit indemnification only to the extent allowed by law and allow defence-cost advances only with a written repayment undertaking. Which board action best aligns with sound limitation-of-liability practice?
Best answer: B
What this tests: Element 5 — Duties, Liabilities and Defences
Explanation: The board should not promise blanket protection that overrides legal limits on indemnification. The best approach is an independent, documented review that authorizes only those advances or indemnity rights permitted by law and the firm’s bylaws, including a repayment undertaking for advanced costs.
Indemnification is meant to protect Directors and Executives who acted properly, not to erase liability for bad-faith or unlawful conduct. In this scenario, the board should not give an unconditional side letter. Instead, it should have independent directors or a committee assess the request, confirm what the governing law and bylaws allow, and approve only lawful advancement of defence costs or indemnity. Where advances are permitted, a written undertaking to repay is an important safeguard if the legal standard for indemnification is ultimately not satisfied. This approach also creates a clear record that the board exercised judgment and respected fiduciary and governance limits. By contrast, a blanket promise or a hands-off approach would improperly bypass those limits.
It protects the director within legal limits while avoiding an unenforceable promise to cover bad-faith or unlawful conduct.
Topic: Element 3 — Offering and Distribution of Securities
The Board of a public issuer that owns an Investment Dealer is reviewing the management information circular for a proposed continuance and amalgamation.
Exhibit: Corporate secretary memo excerpt
Based on the exhibit, what is the only supported Board action before the circular is mailed?
Best answer: C
What this tests: Element 3 — Offering and Distribution of Securities
Explanation: When a transaction gives shareholders a statutory dissent right, the Board should ensure the circular clearly explains that right and how it is preserved. Here, the exhibit says the right depends on steps taken before the vote, so omitting those steps would impair informed shareholder decision-making.
A Board approving a circular for a fundamental transaction must consider not just the deal merits, but also whether shareholders are being given fair and usable disclosure about their statutory rights. In the exhibit, the dissent right is tied to specific preconditions: the shareholder must object before the vote and must not vote in favour. That makes the procedure itself material. If the circular omits how to preserve the right, shareholders could lose a remedy simply because the Board-approved disclosure was incomplete. The Board does not need to wait for any later fair-value process to occur; it should require the circular to explain the right and the steps needed to keep it. A summary of transaction benefits and the voting threshold alone is not sufficient.
Because the right can be lost if shareholders miss the stated pre-vote conditions, the Board should require clear disclosure before mailing.
Topic: Element 5 — Duties, Liabilities and Defences
A Canadian Investment Dealer is lead underwriter for a bought-deal prospectus offering and is also advising the issuer on a shareholder meeting for a related acquisition. The dealer’s board has approved a low appetite for disclosure-driven legal risk, but the issuer is pushing to file and mail today because of a looming liquidity covenant. The underwriting due diligence committee has not interviewed the independent engineer whose report is cited in the prospectus, the draft proxy circular omits a CEO side agreement tied to the acquisition, and the issuer has not answered a shareholder’s valid request under the applicable corporation act to inspect meeting records. What is the best decision for the dealer’s Executive sponsor?
Best answer: A
What this tests: Element 5 — Duties, Liabilities and Defences
Explanation: The best response is to stop and escalate until the record supports a reasonable due diligence defence and accurate disclosure. Known gaps in an expertised prospectus section, a material proxy omission, and an unanswered corporation-law request create liability risk that legal opinions, indemnities, or a smaller deal do not cure.
Directors and Executives should not let timing pressure override a defensible diligence and disclosure process. Here, the dealer has active red flags in both the offering and meeting materials: incomplete underwriting due diligence, unsupported reliance on an expert report, a material omission in the proxy circular, and an unanswered valid shareholder request under the corporation act. The best governance response is to pause the mandate and condition further participation on fixing those issues and documenting the remediation.
A sound response would require the team to:
The key takeaway is that process defects known before filing or mailing can undermine available defences; they are not cured by speed, indemnities, or narrower economics.
Known diligence and disclosure red flags should be fixed and documented before the dealer proceeds with filing or mailing.
Topic: Element 7 — Significant Areas of Risk
An Investment Dealer’s risk appetite statement says trading inventory limits are “monitored by management and reported to the Board as needed.” It does not assign a specific Executive owner for the limit framework or a Board committee to review breaches. After repeated overnight inventory limit breaches, the CFO assumes the COO will escalate them and the COO assumes the audit committee will see them later. CIRO identifies this during an examination. What is the most likely consequence?
Best answer: B
What this tests: Element 7 — Significant Areas of Risk
Explanation: When a significant risk has no clearly assigned owner at management or Board level, breaches can go unescalated and oversight breaks down. In a CIRO examination, the most likely immediate consequence is a governance and control deficiency requiring the firm to assign responsibility, oversight, and escalation procedures.
Governance for significant risks is not satisfied by having a limit alone. The firm must clearly allocate who owns the risk in management, which Board committee oversees it, and how breaches are escalated. Here, the policy left responsibility vague by referring only to “management” and reporting to the Board “as needed,” so repeated breaches were not clearly escalated or challenged.
In this situation, the most likely first consequence is a regulatory finding that governance and internal controls are inadequate, followed by required remediation such as:
An internal limit breach does not, by itself, automatically create an early warning outcome or automatic personal liability for Directors.
The immediate issue is unclear allocation of a significant risk, so the most likely outcome is a governance remediation finding requiring defined ownership and escalation.
Topic: Element 6 — Risk Management and Internal Controls
An Investment Dealer’s internal audit identifies repeat exceptions in cash movement approvals. The control is being performed through informal emails, is not documented in the firm’s procedures, has not been reviewed or approved by the Board, and has not been reported to the Board for six months. No client loss or capital breach has occurred. If CIRO finds this during an examination, what is the most likely consequence?
Best answer: A
What this tests: Element 6 — Risk Management and Internal Controls
Explanation: The most likely immediate consequence is a CIRO finding that the firm’s internal-control and governance framework is deficient. Controls are expected to be adequate, written, reviewed, approved, and escalated to the Board when significant deficiencies remain unresolved.
The key issue is not whether harm has already occurred; it is whether the firm can demonstrate an effective control environment and proper Board oversight. Here, the control is informal, undocumented, not Board-reviewed or approved, and left unreported despite repeat exceptions. That combination supports a regulatory finding that the firm’s internal controls and governance are deficient.
In practice, the immediate consequence is usually supervisory remediation, not an automatic capital penalty or transaction unwind. CIRO would typically expect the firm to formalize the control, document it, ensure appropriate review and approval, and evidence that the Board has been informed so it can oversee remediation.
The main takeaway is that weak controls become a governance problem as soon as they are material and unresolved, even before client loss or capital impact appears.
CIRO would most likely treat the unresolved, undocumented, unreported control weakness as a governance and internal-controls deficiency requiring Board-level remediation.
Topic: Element 4 — Corporate Governance and Ethics
An Executive of an Investment Dealer wants to accept an unpaid position as director of a private family holding company. The role is outside the dealer, and the firm notes it could create conflicts or interfere with the Executive’s duties if circumstances change. Which statement best matches CIRO requirements?
Best answer: B
What this tests: Element 4 — Corporate Governance and Ethics
Explanation: This external directorship fits CIRO’s outside-activity concept because it is a role outside the dealer that may create conflicts or interfere with the Executive’s responsibilities. CIRO expects firm review and approval before the role begins, with prompt disclosure updates if the role or its risk profile changes.
For Directors and Executives, CIRO expects firms to view outside activities broadly. A role can be an outside activity whether it is paid or unpaid if it is outside the dealer and could create conflicts of interest, client confusion, or impair the individual’s ability to carry out dealer responsibilities.
In this case, the external directorship should be assessed before it starts. The firm should:
Waiting for annual reporting or for the outside entity to become a client misses the pre-approval and ongoing disclosure expectations.
An external paid or unpaid role that may create conflicts or affect dealer duties must be treated as an outside activity, approved before it starts, and kept accurately disclosed.
Topic: Element 4 — Corporate Governance and Ethics
Assume the Board composition otherwise meets applicable requirements. Maple Crest Securities, a small Investment Dealer, receives this memo:
Exhibit: Governance memo
Which Board response is best supported?
Best answer: B
What this tests: Element 4 — Corporate Governance and Ethics
Explanation: A small Investment Dealer can scale its governance structure to fit its size and business model, so the full Board may handle more than one oversight function. However, outsourcing operations to a carrying broker does not shift the Board’s accountability for monitoring outsourced risks and controls.
The core governance issue is proportional oversight. Small Investment Dealers do not need to mirror the committee structure of a large firm if the Board can still provide effective, documented oversight and independent challenge. In the exhibit, having the full Board cover both audit and risk matters can be reasonable, and quarterly in-camera sessions led by the independent director support independent challenge. The unsupported part is discontinuing the annual outsourcing-risk review. A carrying broker or other service provider may perform functions, but the Board remains responsible for overseeing the risks, controls, and performance of material outsourced arrangements. The best interpretation is to keep the streamlined structure while preserving formal Board oversight of outsourcing. The closest trap is assuming outsourcing changes who remains accountable.
Small dealers may combine Board oversight functions, but outsourcing does not remove the Board’s duty to review outsourced risks.
Topic: Element 6 — Risk Management and Internal Controls
An Investment Dealer’s Board is asked to approve the acquisition of a digital advice platform. The board package contains:
The firm’s governance framework requires material growth initiatives to show how they fit within approved risk appetite and how value would be protected if results deteriorate. Which missing element is the clearest deficiency in the package?
Best answer: B
What this tests: Element 6 — Risk Management and Internal Controls
Explanation: For a material growth initiative, directors need more than projected upside and a list of risks. They need a risk-adjusted assessment showing whether the proposal fits within approved risk appetite and how capital and franchise value will be protected if outcomes deteriorate.
Growth should be evaluated on a risk-adjusted basis, not just on expected revenue or synergies. In this scenario, the decisive gap is the absence of downside analysis linked to approved risk appetite, capital impact, and clear escalation triggers. A simple list of risks tells the Board what could go wrong, but it does not show whether the firm can absorb adverse outcomes while preserving value.
Execution details can improve implementation, but they do not answer the core governance question: does this growth plan create value after considering risk, and is there a framework to preserve value if it underperforms?
Without this, directors cannot judge whether the acquisition creates value within risk appetite or preserves firm value if performance weakens.
Topic: Element 2 — Dealer Business Model
A product due diligence policy that reflects an Investment Dealer’s business model is one that:
Best answer: D
What this tests: Element 2 — Dealer Business Model
Explanation: A policy that reflects the business model is not generic. It is designed around the dealer’s actual products, clients, service offerings, and distribution channels so that product approval and ongoing review address the risks the firm really takes on.
The core idea is tailoring. Product due diligence policies and procedures should match the Investment Dealer’s actual business activities, including the types of products it offers, the clients it serves, the way it provides advice or execution, and the channels through which products are distributed. A dealer serving retail clients with complex products may need deeper review, stronger approval controls, and closer monitoring than a dealer focused on simpler institutional offerings. Issuer disclosure is useful, but it does not replace the dealer’s own assessment. And advisor-level suitability is a separate obligation from firm-level product due diligence. The key takeaway is that the policy must fit the firm’s real operating model, not a generic checklist.
This is correct because product due diligence must be calibrated to how the dealer actually offers, distributes, and supervises products.
Topic: Element 5 — Duties, Liabilities and Defences
The chair of an Investment Dealer’s risk committee received three written escalations over four months: unresolved segregation breaks, repeat breaches of an internal liquidity limit, and a CCO memorandum stating that management had missed its remediation dates. She asked management to keep the board informed but did not require a written action plan, independent testing, or committee follow-up before signing the annual control report. A later CIRO examination finds the same issues persisted. If she argues that she relied on management and exercised business judgment, what is the most likely consequence?
Best answer: D
What this tests: Element 5 — Duties, Liabilities and Defences
Explanation: The chair had repeated written warnings, knew remediation deadlines had been missed, and still failed to require or document meaningful follow-up. In that setting, passive reliance on management is usually unreasonable, so her defence is less likely to protect her from regulatory findings about inadequate oversight.
Reasonable reliance and the business judgment rule depend on process, not title or intent. Directors and committee chairs may rely on management and experts when the matter appears routine and there is no clear reason to doubt the information or remediation. Here, the chair had multiple written escalations, knew deadlines had been missed, and failed to require a plan, independent testing, or documented follow-up in an area squarely within her oversight mandate. Those facts make the issue a red-flag oversight problem.
Once red flags are known, a senior oversight person is expected to probe, challenge, escalate, and ensure remediation. Business judgment does not protect inattention, and delegation does not erase accountability. A capital or reputational impact could arise later for the firm, but the immediate consequence is that her defence is weak and individual regulatory exposure becomes more likely.
Repeated warnings and missed remediation made passive reliance unreasonable for a committee chair responsible for challenge and follow-up.
Topic: Element 8 — UDP Responsibilities
An Investment Dealer failed an early warning liquidity test after a lender cut an intraday financing line. The parent can inject $6 million immediately, but the board had already approved a special dividend to the parent next week and management wants to close a small acquisition that would add fixed costs this month. CIRO has already designated the firm in early warning, required weekly reporting, and told the UDP that the designation will not be lifted until the firm has passed all early warning tests for 20 consecutive business days and CIRO is satisfied the funding concentration issue has been remediated. What is the single best recommendation for the UDP to make to the board?
Best answer: A
What this tests: Element 8 — UDP Responsibilities
Explanation: The best response is to treat the early warning designation as continuing until CIRO lifts it, even after fresh capital is injected. Because CIRO tied lifting to both sustained test compliance and remediation of the funding concentration issue, the board should pause the dividend and acquisition and focus on remediation and reporting.
Early warning is a supervisory designation, not just a one-day capital calculation. Once CIRO has designated the dealer and stated the conditions for release, the firm should act on the basis that restrictions remain in force until CIRO lifts the designation. A capital injection helps restore financial strength, but it does not by itself permit a special dividend or an acquisition that increases fixed costs while the root cause remains unresolved.
The UDP should:
Only after the firm satisfies the stated test period and CIRO is satisfied with remediation should management seek lifting of the designation. The closest trap is focusing only on the next clean test result rather than on CIRO’s continuing discretion and stated release conditions.
A capital infusion does not end an early warning designation, so the UDP should maintain restrictions, fix the root cause, and wait for CIRO to lift it.
Topic: Element 1 — General Regulatory Framework
What is FINTRAC’s primary role in the Canadian regulatory framework?
Best answer: C
What this tests: Element 1 — General Regulatory Framework
Explanation: FINTRAC’s purpose is financial intelligence for anti-money laundering and anti-terrorist financing in Canada. It receives prescribed reports, analyzes them, and can disclose relevant intelligence to authorized recipients; it does not investigate market fraud, resolve client complaints, or prudentially supervise institutions.
FINTRAC is Canada’s financial intelligence unit. Its core function is to receive prescribed reports from reporting entities, analyze that information for patterns linked to money laundering or terrorist financing, and disclose relevant intelligence when legal thresholds are met. For Investment Dealer leadership, FINTRAC is important because AML and anti-terrorist financing controls, reporting, recordkeeping, and escalation must be effectively designed and overseen.
The other agencies listed have different mandates: IMET focuses on serious market-fraud investigations, OBSI handles independent complaint resolution, and OSFI is a prudential supervisor for federally regulated financial institutions. The key distinction is that FINTRAC is an intelligence and reporting body, not a complaint handler, prudential regulator, or police investigative unit.
FINTRAC is Canada’s financial intelligence unit for money laundering and terrorist financing reporting and analysis.
Topic: Element 8 — UDP Responsibilities
The UDP of a Canadian Investment Dealer reviews a quarterly board package. It notes repeat failures at two branches to update KYC information before suitability alerts were overridden. The same issue appeared in each of the prior two quarters. Management proposes to “coach advisors” and mark the matter closed at quarter-end. The package sets no remediation deadlines, no compliance re-test, and no escalation because no client loss has yet been confirmed.
Which missing control is the clearest deficiency in the firm’s compliance system?
Best answer: A
What this tests: Element 8 — UDP Responsibilities
Explanation: The decisive gap is the absence of a formal escalation and remediation process for a recurring compliance breach. A UDP must ensure significant issues are time-bound, independently challenged, and not closed by the business line without compliance verification simply because client harm is not yet proven.
A UDP must establish and maintain an effective compliance system and culture, not simply react after a complaint or confirmed loss. That means recurring or significant compliance issues must be formally escalated, assigned to an owner, tracked with deadlines, and independently verified before they are closed. In this scenario, the same KYC and suitability-control failure has repeated for three quarters, yet management plans only coaching and self-declared closure. That is a control weakness in the compliance framework itself.
A sound process would require documented remediation steps, compliance re-testing, and escalation of unresolved or material issues to the UDP and, where appropriate, the board or a committee. More reporting or training may help, but they do not fix the missing discipline around escalation and verified closure.
Recurring compliance breaches require documented escalation, assigned remediation, deadlines, and independent verification before closure.
Topic: Element 4 — Corporate Governance and Ethics
An Investment Dealer has been engaged on a confidential underwriting. The UDP wants Compliance to track the issuer for heightened surveillance and pre-clearance review, without broadly alerting sales, trading, or research that the firm may hold sensitive information. Which control best matches that function?
Best answer: A
What this tests: Element 4 — Corporate Governance and Ethics
Explanation: A confidential watch list is used when the dealer may have material non-public information and Compliance needs enhanced monitoring without widely signaling that status internally. It supports surveillance and approvals while preserving information containment on a need-to-know basis.
The key concept is matching the control to its function. A confidential watch list is typically maintained by Compliance for issuers connected to sensitive mandates or other potential material non-public information. It helps the firm monitor trading, approvals, and escalation discreetly, so the existence of the mandate is not unnecessarily spread across the organization.
A restricted list is a stronger control used when the firm needs explicit limits on trading, research publication, or other activity. An information barrier is the structural separation between functions, such as corporate finance and research, rather than an issuer-specific monitoring list. A clean room is a tightly controlled place for sharing diligence materials, not the main surveillance tool for confidential issuer monitoring.
The closest distractor is the restricted list, but that control is generally more overt and restrictive than the stem requires.
A watch list lets Compliance monitor a potentially sensitive issuer confidentially without imposing broader visible restrictions unless risk escalates.
Topic: Element 4 — Corporate Governance and Ethics
The board of a Canadian investment dealer is reviewing strategy after a vendor cyber incident, employee misconduct complaints, and more client questions about climate-related exposure in issuers. The chair reminds directors that ESG oversight should be tied to the firm’s business and risks. Which statement by an Executive is INCORRECT?
Best answer: D
What this tests: Element 4 — Corporate Governance and Ethics
Explanation: For directors and executives, ESG is not just a branding topic. They should consider material environmental, social, and governance issues where those issues affect strategy, risk management, controls, culture, or disclosure, even if no rule requires a specific ESG metric.
The core concept is materiality and oversight. For a Director or Executive at an investment dealer, ESG considerations matter when they can affect the firm’s strategy, operations, reputation, compliance, disclosures, or stakeholder relationships. That can include environmental issues, but it also includes social and governance matters such as conduct, privacy, cybersecurity, conflicts, workplace culture, and third-party oversight.
Directors may rely on management’s analysis, but they still need to ask questions, challenge assumptions, and ensure the firm has appropriate controls and reporting. ESG oversight does not need to sit in a stand-alone committee to be relevant; it can be embedded in risk, audit, governance, and disclosure processes. The weak statement is the one treating ESG as merely marketing unless a rule prescribes a metric.
ESG is relevant whenever it affects strategy, risk, controls, culture, or disclosure, even without a specific mandated metric.